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Abstract 

This paper explores techniques to apply model-based 
reasoning to equipment and systems which exhibit 
dynamic behavior (that which changes as a function of 
time). The model-based system of interest is KATE-C 
(Knowledge based Autonomous Test Engineer) which is 
a C++ based system designed to perform monitoring and 
diagnosis of Space Shuttle electro-mechanical 
systems. Methods of model-based monitoring and 
diagnosis are well known and have been thoroughly 
explored by others 1 A short example is given which 
illustrates the principle of model-based reasoning and 
reveals some limitations of static, non-time-dependent 
simulation. This example is then extended to 
demonstrate representation of time-dependent behavior 
and testing of fault hypotheses in that environment. 

Model-Based Reasoning Overview 

Model-Based Reasoning is a technique which compares 
simulated measurement values with actual readings 
from the physical system and attempts to diagnose 
component failures when a significant discrepancy 
exists (see figure 1). 



To be practical for monitoring and diagnosis, the 
simulation should occur in real-time in parallel with 
operation of the process equipment. Inputs to the 
process equipment are sent to the simulator. The 
simulator computes expected values for each of the 
components in the equipment including measurements. 


When measurements predicted by the simulator 
disagree significantly with those observed in the 
process equipment, an anomaly has occurred. 
Anomalous behavior may indicate that some component 
of the process equipment has failed. 

Diagnosis is accomplished by generating fault 
hypotheses for various components and substituting 
these values in the simulator. The simulation is then re- 
calculated taking the failure into account. If the 
simulator now predicts measurements that agree with 
those observed, the fault hypothesis is reported as a 
plausible explanation for the anomalous behavior. 


To illustrate how this works, consider the system shown 
in figure 2. 
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Knowledge Base Example 
Figure 2 


This figure shows 
details inside the 
"process equipment" 
box and the 
"simulation software" 
box from Figure 1. 

Two solenoid 
valves are shown in 
the "process box" 
along with two relays 
which actuate the 
valves and a single 
fuse which provides 
power to the 
solenoids. In the 
"simulation box" is a 
knowledge base which 
represents this 
equipment. F 

represents the fuse, R 
the relays, C the relay 
coils, and V the 
solenoid valves. The 
arrows represent the 
calculation of the 
simulation. 

Commands from the 


outside are directed to the relay coils and the fuse. The 
fuse outputs to the relays; and they in turn, output 
power to the solenoids. Measurements of the valve 
positions are reported to the outside world. 

To further illustrate the technique, this knowledge-base 
may be represented by a spreadsheet. 

Figure 3a shows formulas in a Microsoft Excel 
Spreadsheet which simulates the equipment shown in 
Figure 2. When power is on or =TRUE, then the fuse is 








also =TRUE. When the fuse is =TRUE then the relays 
and valves may be turned on or off with command_1 and 
command_2. 
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Figure 3a (spreadsheet formulas) 


Figures 3b and 3c show the values calculated by the 
spreadsheet. Changing the value of any of the 
commands causes the spreadsheet to be recalculated. 
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Figure 3b spreadsheet values (command_1 =TRUE) 


For example, Setting command_1 =FALSE causes 
coil_1, relay_1 and valve„1 to be =FALSE. 
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Figure 3c spreadsheet values (command_1 =FALSE) 


Diagnosis can be demonstrated by setting one of the 
component values in the spreadsheet to a hypothetical 
failed value. Figure 3d shows failure of the fuse. The 
cell representing the fuse is set =FALSE. As a result, 
both relays and valves are turned off. 
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Figure 3d Diagnosis: (FUSE =FAILED) 


Externally, the failed system is configured the same as 
Figure 3b - both commands and power are on. If 
measurements of the valves in 3b read closed, this 
would represent an anomaly. The anomaly is resolved 
by the hypothetical failure inserted in 3d since the 
simulated measurements for the two valves agree with 
actual measurements resulting from a blown fuse. 


Adding a Time Dimension to Model-based 
Simulation 

In the past, KATE-C knowledge bases have 
represented time by means of components with state. 

A component with state 
is one in which its 
present value depends 
on its previous condition 
or state. Consider figure 
4, a latching relay. The 
relay stays on once the 
set command has been 
issued and until the 
clear command is 
activated. 


The spreadsheet for the 
latching relay is shown in 
figure 5. The spreadsheet simulating the relay contains 
a circular reference I.e. the formula for RELAY_3 refers 
to its old value. This works well and simulates the 
latching mechanism faithfully. 
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Figure 5 - Spreadsheet Formulas for Latch 


Unfortunately there is no way to tell solely from the 
inputs what the condition of this relay should be. The 
history of the set and clear commands must be known 
as well as the initial value of the relay. 

Another type of problem that has been represented by 
objects with state is a tank. The tank simulation 
references the previous value for its contents and the 
rate of flow filling the tank in order to compute the new 
level in the tank. In order to simulate a hypothetical 
failure, it is necessary to restore the model state of all 
components at the time of failure, insert a fault, re- 
simulate to TIME=NOW, and determine if the fault 
hypothesis is valid throughout the intervening time 
period. 

Freon Cooling Loop 

A current KATE-C application is an intelligent monitoring 
and diagnostic system for the Shuttle's Environmental 
Control and Life Support System (ECLSS). KATE 
encounters time-dependent anomalies which arise 
during the normal operation of ECLSS. For example, 
one of the ECLSS subsystems is a Freon cooling loop 
(figure 6) where excess heat from various avionic 
systems is transferred to the freon cooling loop and 
dissipated in one or more heat sinks. 



Figure 4 Latching Reiay 




Orbiter Freon Cooling Loop 
Figure 6 



Figure 7 
The Bucket Brigade Problem 


A anomaly arises when unanticipated changes in Freon 
temperature occur. Changes in heat which is added or 
subtracted from the circulating freon do not show up 
until minutes after a component failure when hotter or 
colder freon than expected reaches a measurement 
further around the loop. 

For example, when the Orbiter's Ground Support Heat 
Exchanger loses ground cooling, the hotter 
temperatures take anywhere from 30 seconds to three 
minutes to start showing up at remote measurement 
points. The problem is to represent this type of dynamic 
effect in a way that will allow us to diagnose such a fault 
as though its gradual, time-dependent measurement 
anomalies had happened instantly. 

Alternatives to Objects With State 

An alternative representation of time in such situations 
may be useful for model-based diagnosis and monitoring 
systems. One such representation is illustrated with 
the help of an example called the Bucket Brigade 
Problem. In this scenario, buckets of sand travel on a 
conveyor belt from left to right. At the beginning of the 
line, buckets pass under two hoppers which deliver 
sand at a controlled rate. The moving buckets are thus 
partially filled with sand. A load sensor under the 
conveyor measures the weight of the buckets at the end 
of the belt. This problem is time dependent because an 
unanticipated change (fault) in delivery rate from one of 
the hoppers will not be detected until some time later 
when the bucket passes over the load sensor. 


In order to solve this problem, a knowledge base is used 
which represents bucket weights and sand delivery at 
several discrete intervals of time. By representing 
several time intervals to KATE-C simultaneously, it is 
possible to determine the time and nature of a fault as 
long as it occurs within the limits of time represented in 
the Knowledge Base. 
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Figure 8 - Bucket Brigade Spreadsheet^ = unknown value) 


Sand in A for time=NOW is determined by the fill rate at 
A for T=NOW. Sand at B NOW is determined by the fill 
rate at A at T-1. Sand in C is A:T-2 +C:NOW. and so 
forth. Here are the formulas for the first 2 rows of Bucket 
data: 
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Figrure 9 - Bucket Formulas 


To get an idea of how this model works consider Figure 
8. With fill rates at A and C steady for the last 14 time 



periods, the weight in Bucket E will be a constant 4 
pounds. 

If the delivery rate of sand at A fails to 0 pounds at T-5 
as shown in figure 10, the measurement at E will begin to 
register 1 pound instead of 4 at T-1. This simultaneous 
representation of model values and time in the 
knowledge base enables a fault hypothesis with a 
specified time (A, 0 pounds, T-5) to be correctly 
diagnosed. 
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Figure 10 - Fill rate at A failed to 0 at T-5 
(* = unknown value) 


A Loop of Buckets 

The bucket problem is somewhat trivial. To demonstrate 
that this technique can be extended to a problem such 
as the freon loop consider the following modification to 
our bucket apparatus: 



Figure 1 1 - A turntable of buckets - plan view 


Instead of falling off the end of the conveyor belt and 
dumping its load of sand, suppose that the bucket at E 
is recycled to A without emptying its load. We can 
represent the load at A by reference to the load at E at 
time T-1. Figure 12 represents the formulas for the first 
two rows of the spreadsheet: 
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Figrure 12 - Bucket Loop Formulas 


If the sand is delivered at the same rate as before at A 
and C, the weight In the buckets will accumulate over 
time as shown In the following table: 
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Figure 13 - Bucket Loop Results 


Because the sand is delivered to the buckets at two 
different rates and because both delivery points are at 
one side of the table, weight in the buckets increases as 
time passes, but the measurement history has a 
somewhat choppy appearance. The profile of the 
measurement history at E is as follows: 


Weight at E vs Time 
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Figure 14 - Measurement history at E 











If the sand delivery at A fails to 0 pounds at time T-7, the 
following pattern emerges in the spreadsheet: 



Figure 15 - Bucket Loop Results with failure of A at T-7 


The measurement history with a failed delivery at A is 
unusual because of the unique features of the system. 
Such a fault would be difficult to diagnose intuitively. 
Reference to the model gives the engineer the 
advantage of being able to recognize the effects of 
various faults more quickly and decisively. The profile 
of the measurement history at E with the failure at A is 
as follows: 



The method used here to track successive revolutions 
of the turntable in may be easily extended to calculate 
temperatures in the Shuttle Freon Cooling Loop. The 
circulating freon can be divided Into discrete segments 
in the math model as follows: 
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Figure 17 - Freon Loop divided into Segments 


In Figure 12, the weight in bucket A was defined as 
follows: =U4+S5. This is simply the weight delivered by 
hopper A plus the weight in bucket station E at time T-1. 
To calculate temperatures for the circulating freon, 
assume that the incoming freon to segment A of the loop 
is the temperature of segment E modified by the ground 
coolant temperature and the heat exchange coefficient 
of the heat exchanger. 

For time NOW, This could be expressed as =Coef A*(U4- 
S5)+S5 where CoefA Is the heat exchanger 
coefficient, U4 is the temperature of the ground coolant 
and S5 is the temperature of fluid segment E at time T- 
1. The temperature of segment B would simply be 
=CoefA*(U5-S6)+S6. The temperature of segment C 
would be =CoefC*(V4-(CoefA*(U6-S7)+S7))+CoefA*(U6- 
S7)+S7 where CoefC is the heat exchange coefficient 
of the avionics cold plate, V4 is the temperature of the 
avionics cold plate, and S6 and S7 are the 
temperatures of segment E at time T-2 and T-3 
respectively. 

Conclusion 

It has been shown that simultaneous representation of 
discrete intervals of time in a process simulation can 
enable efficient monitoring and diagnosis of faults that 
may manifest themselves dynamically or as a function 
of time. The key to this technique is to avoid implicit 
representation of components with state in the 
simulation model; that is, cells that would be defined as 
circular references in a spreadsheet model. The author 
believes that most simulations that have instances of 
such circular references can be easily modified to 
explicit representation of discrete intervals of time and 
that improved diagnostic and monitoring performance 
can be achieved as a result. 
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